From: Haggai Eran <haggai.eran@gmail.com>
To: Larry Finger <Larry.Finger@lwfinger.net>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe
Date: Tue, 19 May 2015 20:23:22 +0300	[thread overview]
Message-ID: <CAJ=9Czaqc5tVB50QBBhTG8xCQ4g93EspqvwnoMFjt3Wszvg+0g@mail.gmail.com> (raw)
In-Reply-To: <555B5C18.5000906@lwfinger.net>

On 19 May 2015 at 18:51, Larry Finger <Larry.Finger@lwfinger.net> wrote:
> On 05/19/2015 12:47 AM, Haggai Eran wrote:
>>
>> With an RTL8191SU USB adaptor, sometimes the hints for a fragmented
>> packet are set, but the packet length is too large. Truncate the packet
>> to prevent memory corruption.
>>
>> Signed-off-by: Haggai Eran <haggai.eran@gmail.com>
>> ---
>>
>> Hi,
>>
>> I think this solves the issue for me. I'll test it more thoroughly later.
>> I still don't know why a fragmented packet has such a large pkt_len value
>> though.
>>
>> Thanks,
>> Haggai
>>
>>   drivers/staging/rtl8712/rtl8712_recv.c | 6 +++++-
>>   1 file changed, 5 insertions(+), 1 deletion(-)
>
>
> I added a printout to your patch to log the values for tmp_len and alloc_sz
> when tmp_len > alloc_sz. In about 15 minutes of running, that print has not
> triggered. The condition only seems to happen on your system.
>
> Please replace your patch with my modified version and report the printed
> values.

I think you attached the original version, and not the one with the
prints. In any case, here are some example values I've seen:

[41727.150644] truncating packet: tmp_len = 3478, alloc_sz = 1658,
pkt_len = 3454, drvinfo_sz = 0
[41732.746346] truncating packet: tmp_len = 13484, alloc_sz = 1658,
pkt_len = 13460, drvinfo_sz = 0
[42044.508326] truncating packet: tmp_len = 9998, alloc_sz = 1658,
pkt_len = 9974, drvinfo_sz = 0
[42044.600013] truncating packet: tmp_len = 1982, alloc_sz = 1658,
pkt_len = 1958, drvinfo_sz = 0
[42044.677548] truncating packet: tmp_len = 11920, alloc_sz = 1658,
pkt_len = 11896, drvinfo_sz = 0

I think this issue may have started when I changed my home router /
access point from a LevelOne WDR-6001 to a TP-Link TL-WR1043ND. Could
these packets be triggered somehow by a different interaction between
the access point and the wifi adapter?

In addition to these fragmented packets, by the way, I'm still seeing
many packets that are dropped for other reasons, such as:
 - invalid ver field
 - seq_ctrl doesn't match in recv_decache
 - sta2sta_data_frame failing for some reason
 - packets with frame type 12.

Thanks,
Haggai
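The following is an added illustration, not the driver's code or the patch under discussion, of the length check the thread is about: device-supplied lengths from the rx descriptor are validated against what was actually allocated and clamped when they do not fit. It assumes, consistently with the logged values (every tmp_len is pkt_len + 24 with drvinfo_sz = 0), that tmp_len = pkt_len + drvinfo_sz + RXDESC_SIZE with RXDESC_SIZE = 24 and a fixed 1658-byte allocation for fragmented frames; the struct and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the log lines above (assumed layout, not the
 * driver's own definitions): every logged tmp_len is pkt_len + 24. */
#define RXDESC_SIZE   24u
#define FRAG_ALLOC_SZ 1658u   /* alloc_sz seen for fragmented frames */

struct rx_lengths {
	uint32_t pkt_len;      /* length taken from the device's rx descriptor */
	uint32_t drvinfo_sz;   /* driver-info length, also device supplied */
	bool     fragmented;   /* fragment hints set: fixed-size allocation */
	uint32_t alloc_sz;     /* output: bytes actually allocated */
	bool     truncated;    /* output: device length exceeded the allocation */
};

/* Validate device-supplied lengths against the allocation and clamp them.
 * Returns the number of bytes that may safely be copied out of the buffer. */
static uint32_t check_rx_lengths(struct rx_lengths *rx)
{
	uint32_t hdr = rx->drvinfo_sz + RXDESC_SIZE;
	uint32_t tmp_len = rx->pkt_len + hdr;

	rx->alloc_sz = rx->fragmented ? FRAG_ALLOC_SZ : tmp_len;
	rx->truncated = false;
	if (tmp_len > rx->alloc_sz) {
		/* Untrusted length does not fit: clamp instead of overrunning. */
		rx->truncated = true;
		tmp_len = rx->alloc_sz;
		rx->pkt_len = tmp_len > hdr ? tmp_len - hdr : 0;
	}
	return tmp_len;
}

int main(void)
{
	/* Constructed from the pkt_len values in the log lines above. */
	const uint32_t logged[] = { 3454, 13460, 9974, 1958, 11896 };
	for (size_t i = 0; i < sizeof logged / sizeof logged[0]; i++) {
		struct rx_lengths rx = { .pkt_len = logged[i], .fragmented = true };
		uint32_t n = check_rx_lengths(&rx);
		printf("pkt_len %5u -> copy %u bytes%s\n", logged[i], n,
		       rx.truncated ? " (truncated)" : "");
	}
	return 0;
}
```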
